
Re: JSON::XS and unicode

by fluffyvoidwarrior (Monk)
on Sep 10, 2012 at 10:52 UTC (node #992719)

in reply to JSON::XS and unicode

This may not be a very popular viewpoint but I would question the security wisdom of using JSON as a vehicle to transport code objects between client side JavaScript and server side Perl. I think it unwise primarily because the JSON data cannot be properly washed of potential exploit code without breaking the JavaScript object functionality. It is relatively easy to write your own JSON equivalent transport system (in Perl of course) using secure objects that maintain data typing and rebuild these on the client after XMLHttpRequest exchanges. If you're creating a web app you MUST MUST MUST wash ALL input or you WILL get screwed over... sooner or later. Just my opinion, it would be interesting to hear others.

Re^2: JSON::XS and unicode
by Corion (Pope) on Sep 10, 2012 at 10:59 UTC

    Neither JSON::XS nor the native JSON parsers in JavaScript execute JavaScript code. They all (should) parse the text and reconstruct the data structure using a JSON parser, not the JavaScript eval statement, exactly for the reason of not allowing easy JavaScript code execution within the page context.

    The web application should support that by sending the appropriate content type - which is application/json, at least according to RFC 4627.

    Using JSONP sacrifices that security for the convenience of circumventing the same origin policy.

      Indeed, yes. No-one in their right mind would actively and intentionally execute passed code. Maybe I'm paranoid, but I won't have executable code coming in from the network under any circumstances. Before I'll accept it, it must be not capable of being executed. Accepting executable code and then trusting that it will never be called... erm... Just seems to me that if you were going to attack a system you would look very closely at JSON and related parsing mechanisms because code is, by definition, already accepted. You're already halfway there. In fact you have been supplied with a ready-built framework for injecting your malice. After all, if it isn't runnable code it isn't JSON, and PHP plus JSON seems like a perfect storm. It's just not likely to be failsafe. At least Perl can be made failsafe.
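
Corion's point (a JSON parser never evaluates the text, and the client should only parse what the server declares as application/json), as an added JavaScript example that is not from any poster in this thread. The sample strings, the `sideEffect` global and the helper names are constructed for it:

```javascript
// Added example (not from the thread). Contrasts the old eval-based way of
// "parsing" JSON with JSON.parse, and gates parsing on the Content-Type.

// Constructed inputs. `withCode` is NOT valid JSON: it is a JS expression
// with a side effect, the kind of text that only eval would run.
const benign = '{"name":"fluffy","tags":["perl","json"]}';
const withCode = '({"name": (globalThis.sideEffect = "ran", "x")})';

function resetSideEffect() { delete globalThis.sideEffect; }

// The unsafe pre-JSON.parse idiom: the text is handed to the JS engine,
// so anything that is a JS expression gets executed in page context.
function evalParse(text) {
  return eval('(' + text + ')');
}

// Parse an XHR/fetch response body only when the server declared
// application/json (RFC 4627 media type), then use the real parser.
function parseJsonResponse(contentType, body) {
  const mediaType = String(contentType || '').split(';')[0].trim().toLowerCase();
  if (mediaType !== 'application/json') {
    throw new TypeError('refusing to parse non-JSON content type: ' + mediaType);
  }
  return JSON.parse(body);  // SyntaxError on anything that is not JSON
}

// Runs both parsers over `withCode` and reports whether the embedded
// expression fired. eval runs it; JSON.parse rejects the text untouched.
function demo() {
  resetSideEffect();
  const viaEval = evalParse(withCode);
  const evalRan = globalThis.sideEffect === 'ran';
  resetSideEffect();
  let parseThrew = false;
  try { JSON.parse(withCode); } catch (e) { parseThrew = e instanceof SyntaxError; }
  const parseRan = globalThis.sideEffect === 'ran';
  return { viaEval, evalRan, parseThrew, parseRan };
}
```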
